
Security Assertion Markup Language
SAML: XML-based federated identity standard enabling single sign-on; exploited via CitrixBleed 3's memory overread in the NetScaler SAML IdP path.
Last refreshed: 17 April 2026
Why does a bug in the Citrix SAML login page give hackers access to every company application?
Mentioned in: CitrixBleed 3 lands on SAML broker
Cybersecurity: Threats and Defences - What is SAML and how was it exploited in CitrixBleed 3?
- SAML (Security Assertion Markup Language) is the XML-based standard behind most enterprise single sign-on. CitrixBleed 3 (CVE-2026-3055) exploits a memory overread in Citrix NetScaler's SAML Identity Provider (IdP) path; the leaked memory contains session tokens that let an attacker bypass authentication for SAML-protected applications without ever logging in.
Source: Citrix / CISA / Mandiant
Background
Security Assertion Markup Language (SAML) is the XML-based federation protocol that NetScaler and other enterprise gateways use to provide single sign-on across applications. CitrixBleed 3 (CVE-2026-3055) specifically targets the NetScaler SAML Identity Provider path: a crafted SAMLRequest to `/saml/login` that omits the AssertionConsumerServiceURL field causes the appliance to leak memory via the `NSC_TASS` cookie. The leaked memory yields SAML session tokens, so the attacker can bypass authentication entirely for any application protected by the compromised SAML broker. The blast radius follows from the SAML trust model: a service provider never sees the user's credentials, it only verifies the assertion signed by the IdP, so whoever holds a valid IdP session can obtain assertions for every application that trusts that IdP.
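As an added example (not code from Citrix, CISA, Mandiant or the article's source), the following Python decodes SAMLRequest parameters for the HTTP-Redirect and HTTP-POST bindings and flags AuthnRequests that omit AssertionConsumerServiceURL, the request shape the paragraph above describes. The log layout, hostnames and requests are constructed for the example; a real NetScaler log needs its own field split, and the check is a triage heuristic rather than proof of exploitation, since the SAML 2.0 schema lets an SP send AssertionConsumerServiceIndex instead of the URL. Nothing here reproduces the overread itself.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_request(param, binding="redirect"):
    """Undo the SAMLRequest encoding of the two common SP-to-IdP bindings.

    HTTP-Redirect carries base64(raw DEFLATE(xml)) in the query string;
    HTTP-POST carries plain base64(xml) in a form field.
    """
    raw = base64.b64decode(param, validate=True)
    if binding == "redirect":
        return zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE, no zlib header
    return raw


def encode_saml_request(xml_bytes, binding="redirect"):
    """Inverse of decode_saml_request; used here only to build sample traffic."""
    if binding == "redirect":
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml_bytes = comp.compress(xml_bytes) + comp.flush()
    return base64.b64encode(xml_bytes).decode("ascii")


def inspect_authn_request(param, binding="redirect"):
    """Parse one SAMLRequest and report whether it names a consumer endpoint.

    AssertionConsumerServiceURL is optional in the SAML 2.0 schema (an SP may
    send AssertionConsumerServiceIndex instead), so only a request carrying
    neither is flagged as suspicious.
    """
    root = ET.fromstring(decode_saml_request(param, binding))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return {"kind": root.tag, "suspicious": False, "reason": "not an AuthnRequest"}
    acs_url = root.get("AssertionConsumerServiceURL")
    acs_index = root.get("AssertionConsumerServiceIndex")
    suspicious = acs_url is None and acs_index is None
    return {
        "kind": "AuthnRequest",
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": acs_url,
        "acs_index": acs_index,
        "suspicious": suspicious,
        "reason": "no AssertionConsumerServiceURL/Index" if suspicious else "",
    }


def scan_access_log(lines):
    """Inspect every access-log line whose request path starts with /saml/login.

    The log layout (method, path, status) is constructed for this example and
    is not NetScaler's own format; adapt the field split to the real source.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("/saml/login"):
            continue
        qs = parse_qs(urlsplit(parts[1]).query)
        if "SAMLRequest" not in qs:
            continue
        try:
            info = inspect_authn_request(qs["SAMLRequest"][0], "redirect")
        except (ValueError, zlib.error, ET.ParseError) as exc:
            # Undecodable payloads aimed at the IdP endpoint deserve a look too.
            info = {"kind": "undecodable", "suspicious": True, "reason": str(exc)}
        findings.append(info)
    return findings


def sample_authn_request(acs_url=None):
    """Constructed AuthnRequest; the hostnames are placeholders, not real systems."""
    acs_attr = f' AssertionConsumerServiceURL="{acs_url}"' if acs_url else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_req1" Version="2.0" IssueInstant="2026-04-17T10:00:00Z" '
        f'Destination="https://gw.example.test/saml/login"{acs_attr}>'
        f'<saml:Issuer>https://app.example.test/sp</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    ).encode()


NORMAL = encode_saml_request(sample_authn_request("https://app.example.test/saml/acs"))
NO_ACS = encode_saml_request(sample_authn_request())

# Constructed log lines: one ordinary SP login, one request with the ACS URL
# omitted, and one unrelated hit that the scanner must ignore.
SAMPLE_LOG = [
    f"GET /saml/login?SAMLRequest={quote(NORMAL)}&RelayState=app 302",
    f"GET /saml/login?SAMLRequest={quote(NO_ACS)} 302",
    "GET /logon/LogonPoint/index.html 200",
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["kind"], finding.get("id", "-"), finding["suspicious"], finding["reason"])
```

Run stand-alone it prints one line per `/saml/login` hit, with the ACS-less request marked suspicious. The stdlib parser is used only to keep the example dependency-free; when parsing attacker-controlled XML in production, use defusedxml instead.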
SAML 2.0, standardised by OASIS in 2005, remains the dominant federation protocol in enterprise environments, particularly for on-premises and hybrid deployments where newer OAuth/OIDC-based federation has not yet been rolled out. NetScaler's position as a SAML IdP in many large enterprises means that a memory-disclosure vulnerability in the SAML endpoint can provide authenticated access to hundreds of downstream applications from a single exploit.
For enterprise architects evaluating identity infrastructure, the CitrixBleed series (three critical memory-disclosure CVEs in 30 months) in the NetScaler SAML path is the practical argument for moving SAML brokerage off NetScaler to cloud-native IdP services, where the SAML processing happens inside the IdP vendor's managed infrastructure rather than on a customer-operated appliance. The migration cost is high; so is the serial-CVE lottery. One caveat for that evaluation: a managed IdP moves the patch burden, not the blast radius, since whoever operates the IdP still mints the assertions that every federated application trusts.